Effective email policies: why enforcing proper use is critical to security

Acceptable use policy and IT security

While banning staff from sending or receiving personal emails is unrealistic, organizations can set boundaries that define reasonable, excessive or inappropriate use, through a comprehensive, updated and enforced email acceptable use policy (AUP). A well-articulated email AUP addresses four core security and operational areas:

Compliance
Safe working environment
Data leakage
Asset abuse.

A framework for corporate governance

According to IDC Research, 97 billion emails are sent worldwide each day[1], and it is estimated that 80 percent of an organization's operational records are stored within the email infrastructure.

Governments around the world have responded to email's growing use as a business-critical tool by introducing increasing levels of legislation governing the security, storage and retrieval of email. Falling foul of such legislation not only damages an organization's reputation, but can lead to fines, market de-listings and, in extreme cases, prosecutions and prison sentences for senior management.

Keeping abreast of such legislation is challenging, and an AUP can help by providing a formal framework that is easily reviewed, audited and enforced to ensure compliance.

Increasing compliance

Email is now central to the day-to-day operation of practically all organizations, regardless of size or sector. Yet, while it is far too important to lock down, email poses a large enough risk that it cannot be left unregulated, especially as nearly all employees expect a certain level of personal email use while at work. According to employers, however, it is their own workforces that pose the greatest threat to security (figure 1).

Creating a safe working environment

An email AUP will promote a safe, productive working environment where employees can operate without fear of exposure to illegal, abusive, inappropriate or malicious material, such as pornography, jokes, harassment or threats. By removing ambiguity and ensuring all employees work to the same rules, the policy sets clear expectations on what constitutes acceptable email content.

Preventing leakage of confidential information

According to IDC, email is the number one source of leaked business information[2]. Additional research confirms that most organizations are concerned about the loss of sensitive data via email.

Most of the time this can be accidental (thanks to functions like Autofill), with research showing that half of employees have sent a message containing sensitive or potentially embarrassing information by mistake[3]. In addition, analysts The Radicati Group found that 77 percent of users have forwarded business emails to their personal accounts in order to complete work when away from the office[4]. Even this most innocent of practices can leave an organization in breach of compliance regulations and can place commercial information in unauthorized hands.

Preventing asset abuse

Excessive and/or inappropriate personal use of email wastes bandwidth and places storage archives under strain, impacting on an organization's ability to use its email infrastructure.

This is particularly problematic when employees circulate non-critical attachments, such as family photos or videos. Prohibiting or restricting this practice preserves the integrity of the email system and can extend the life of storage solutions. It also ensures that IT staff remain focused on their core responsibilities and do not spend time clearing personal emails from the system.

What an AUP should cover

An AUP should set out exactly how an employee is expected to use an organization's email system, containing prescriptive advice on best practice and clearly defining prohibited behavior.

It is essential that regulations are explicitly stated and easily understood. The content of an AUP will vary between organizations, reflecting their regulatory environment, email quantity, IT resources and culture. Some may choose to incorporate rules governing email use into a wider AUP that covers all technology use, from telephones to web browsing to photocopying.

However, in general, an email AUP covers three main elements:

Appropriate and inappropriate email use
Policy enforcement
Policy sanctions.

Areas that should always be covered include:

Inbox management

In response to the continued growth in email use, organizations should attempt to limit the volume of messages stored in employee mailboxes. The number of emails held in archiving systems that capture both internal and external mail should also be limited, ensuring resources are not overloaded and allowing for easy message retrieval.

Circulation of attachments

Users commonly view email as a quick method of sharing content with colleagues. However, this practice needlessly uses up bandwidth and archive space. Instead, all attachments should be removed before an email is stored and saved on an appropriate server. Additionally, employees should be instructed on how to use shared network folders to circulate files internally, rather than attaching them to emails. Consider that one person sending a 5 MB attachment to five other employees results in more than 25 MB of email server storage requirements. Placing this file on a shared server and circulating a link to its location not only greatly reduces the size of the email, it prevents unnecessary duplication of files across multiple locations.

Remote access of email services

Rules should be set governing remote access to the corporate email network, both from employees' own computers and over the internet/public Wi-Fi networks. Some organizations ban this practice altogether, while others permit it only if the computer accessing the network is certified as secure by, for example, a network access control (NAC) solution.

Personal/non-business critical use of email

File types categorized as non-business critical (for example, JPEGs, MP3s, executables and anything considered potentially malicious) should not be received or sent. The dissemination of illegal, offensive or other inappropriate content should also be prohibited. Employees should understand that companies are obliged to report any unlawful behavior to the authorities, and that inappropriate activity can invoke disciplinary proceedings. Some organizations may also choose to block access to web-based email services, such as Hotmail and Gmail.

AUP enforcement

The email AUP must be enforced if employees are to adhere to its rules. If they realize that their messages are reviewed and stored – and then retrieved if needed – employees might think twice before misusing the email system. An AUP should provide total transparency about how an organization intends to police its email system, ensuring that there are no surprises in the event of disciplinary action being invoked.

Enforcement through technology

The key to enforcement is the deployment of IT security solutions capable of auditing everyday email use, spotting and tracking potential or confirmed violations and notifying the appropriate managers if a violation has occurred. Although it is not necessary to inform staff about the actual technology behind the solutions deployed, it is worth explaining their top-level capabilities.

*This is an example only. You should seek formal legal guidance when developing your own AUP.

Gateway email protection. Commonly deployed to block spam and malicious emails from entering networks, gateway protection is highly effective at stopping suspicious or unwanted file attachments, offensive content and sensitive corporate information. The leading solutions scan outbound and inbound messages and attachments, ensuring that no unauthorized content leaves the network. Organizations can choose either to block or quarantine these emails, and administrators are automatically notified of attempted violations.

Email server protection. Security solutions at the email server level protect against the internal circulation of unwanted content. By scanning inter-departmental emails for jokes, photos, chain letters, malware and confidential information which the recipient has no authority to access, organizations can further bolster their email security. As with gateway protection, any violation will be flagged up to the relevant managers.

Endpoint protection. Organizations that permit access to web-based mail over the corporate network should ensure that all endpoint computers – desktops, laptops and mobile devices – are running up-to-date security software. Emails from webmail accounts bypass corporate gateway defences, and so have an unobstructed route into an organization. Endpoint protection closes this loophole by picking up any malicious or unwanted content that employees attempt to download from this source.

Procedures for reporting misuse

Employees should be encouraged to report the alleged misuse of email resources, and a clear and anonymous procedure must be put in place to facilitate this.

Sanctions for breaching AUP regulations

All users must understand the potential consequences of not complying with the email AUP. These consequences will depend on several factors, including whether the abuser is a first or repeat offender, whether the breach represents illegal, offensive or merely wasteful behavior, the regulatory environment in which the company operates and the firm's cultural outlook. The sanctions will relate to the severity of the offense, ranging from verbal and written warnings, and on to dismissals.

Who is responsible for the AUP?

The HR, IT and legal departments are all stakeholders in the creation and enforcement of an email AUP. Employees should also contribute to an AUP, enabling greater transparency and buy-in and ensuring that everyone is aware of its existence. At some organizations, the CEO or other board members may take an active involvement, as they can be held personally liable for email misuse by any employee. Typically, staff from all three departments should work together to develop the policy, with specific responsibilities divided as follows.

HR role

The HR department owns the overall process of developing an email AUP, taking responsibility for awareness, distribution and training. Using data provided by the IT department, and by responding to reports of alleged misuse, HR conducts audits to ensure that rules are observed, investigates suspected policy contraventions, and implements disciplinary procedures.

IT role

By using the security solution's reporting features, the IT team generates the forensic evidence needed to identify and log email abuse. The data gathered represents the company's principal source of security intelligence, and can be pieced together to analyze each breach and pinpoint the staff responsible. This information can then be escalated to HR.

The IT department also advises HR on the changing capabilities of the organization's IT defenses. For example, if a new solution is deployed to scan outbound messages for sensitive material (e.g. credit card or social security numbers), the AUP might need to be amended and email users might require additional training.

Legal role

The in-house or external legal department ensures that the AUP is in line with legal and compliance requirements, and will advise HR to amend it if regulations change.

Summary

While the threat of spam and malware is usually linked to inbound emails, an organization's own users can often cause just as much or more damage through the emails they send or share.

Employees can be responsible for data leakage, the dissemination of inappropriate or offensive content, and consuming bandwidth through the unnecessary sharing of files, each of which represents a considerable threat to the email network. To ensure that employees recognize these risks, organizations should implement a comprehensive email acceptable use policy which, to be effective, requires enterprise-grade security solutions for the gateway, the email server and all endpoint computers.